SANS Digital Forensics and Incident Response Blog

Our focus this week is on live response, memory forensics, and triage. New tools from Mandiant (Redline) and HBGary (Responder Community Edition) jump into the live response and memory forensics arena and appear to hold some promise for those who need to delegate first response activities to IT support staff who don't have prior Incident Response or Digital Forensics training. In "Good Reads," I've highlighted four articles that I think qualify as must-read. Mark Russinovich has posted a 3-part series over the past few months detailing the process of analyzing Stuxnet (and, by extension, other malware) with Sysinternals tools. Follow that up with Corey Harrell's excellent post on forensic triage, which details a process for answering key questions quickly.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

Digital Forensics Framework v1.1.0 was released last week. This version adds several new features, including the ability to extract mailbox contents from PST, OST, and PAB files. For more details about the release, check out the release notes.

Mandiant recently released Redline, a new Windows memory forensics and triage tool that "analyzes and rates every running process on a system according to risk."

Mark McKinnon has made all of the ForensicArtifacts.com posts available as an Evernote notebook. As the Forensic Artifacts site grows, this Evernote port will become increasingly useful if kept in sync with the web site. I see the most value coming from this in off-line scenarios, where you could still have the Forensic Artifacts data available via the Evernote application for your mobile device.

Yesterday, Harlan Carvey posted a fairly comprehensive summary of tools that have caught his attention of late. There's some overlap with my short list above, plus a lot more. I suspect most will find at least one tool on Harlan's list that they weren't previously aware of, so it's well worth the time.

Good Reads:

Over the past few months, Mark Russinovich has written an excellent series of articles on Analyzing a Stuxnet Infection with the Sysinternals Tools. The three-part series is both an interesting look at how Stuxnet works and, more importantly, an outstanding crash course on how to use the Sysinternals tools for malware analysis. I highly recommend reading it, then reading it again. Here are the links to all three parts: Part 1, Part 2, Part 3.

Corey Harrell recently posted Triaging My Way over on his blog, Journey Into Incident Response. The post presents both the high-level thought process and the specific steps needed to triage user activity "in under two minutes" on a Windows computer. I particularly like this post because it reveals process. Rather than isolating on a specific tool or artifact, Corey narrates the process and demonstrates how to get from question to answer.

News:

The Norwegian military announced last week that it faced a cyber attack shortly after beginning bombing operations in Libya. The attack arrived as a spear phishing campaign targeting "100 military employees, some of them high-ranking" with a malware-laden attachment. Not many details are available, and the incident is still under investigation. But this article implies that the attack was related to Norway's participation in bombing attacks against Moammar Gaddafi's forces.

Voting for the 2011 Forensic 4cast Awards is open until June 5. Check out the nominees and vote for your favorites. Winners will be announced at the SANS Forensics and Incident Response Summit in Austin, TX.

The ACFE is holding a fraud conference in San Diego, CA on June 12-17, 2011. Track E of the conference is geared specifically toward investigators performing digital forensics. More info on the conference is available at http://www.fraudconference.com.

Digital Forensics Case Leads for 20110526 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-of-all-security at Virginia Commonwealth University. If you have an article to suggest for case leads, please email it to caseleads@sans.org.

4 Comments

Joe Garcia

I just want to thank Mark McKinnon for setting up the ForensicArtifacts.com Evernote notebook. It is stuff like this from the community that will help make ForensicArtifacts a successful resource for us all.

Joe

Chris Bentley

Hi all, I've just started taking a more active look at using Volatility and I thought I would point people in the direction of a new Windows batch script I've created (it's based on the one from lg's blog).

Blog Post: http://active-security.blogspot.com/2011/05/volatility-script-for-windows.html

Script location: https://docs.google.com/leaf?id=0Bz2rZ4S-yK8AMDE5ODhhMzEtOGNhMS00N2U3LWEyMzYtNjFkNTFmMjc4ZTZi
